Do you know how your organisation manages your cyber risk? If there was a breach, how would you and your team react?
These questions are not only relevant for cyber or compliance teams – each supplier that an organisation engages with opens another potential avenue for entry for cyber attackers. From HR and payroll software to cloud services to the myriad of other third-party services that organisations use to run and support their offerings, every team is linked into this network.
The cyberattack on Kaseya at the beginning of July was certainly a stark reminder of the importance of cybersecurity and cyber resilience in digital supply chains. In the immediate aftermath, Kaseya was unable to pinpoint the exact source of the hack, noting only that it wasn’t a phishing attack. Of course, new cyberthreats and methods of hacking are constantly emerging, which is why an organisation’s risk mitigation and management plan is key to ensuring cyber resilience.
In light of this breach, it may be worth reviewing your organisation’s cyber resilience posture, taking into account not only your current cybersecurity measures, but any actions that would need to be taken in the case of a cyberattack or data breach. Here are a few things to consider as this process is reviewed:
Ensure your cyber and compliance questionnaire is up to date. Whenever your organisation onboards a third party, they should fill out a compulsory questionnaire on their cyber and compliance status, which should be updated at regular intervals. Make sure the questions are relevant to emerging cyber threats as well as existing ones, and ensure that the questionnaire is filled out on time to maintain compliance. Tools like CyDesk can help your organisation with this by sending out questionnaires at set times.
Consistently monitor emerging threats, as well as historic cyber risk patterns. Your security team should be ensuring ongoing monitoring of cyber threats – though, of course, with the volume of today’s threats, this is a near-impossible task. CyDesk collates and analyses risk data from a variety of sources, including various data streams, chatter and news, to give your organisation the big picture of its cybersecurity and third-party risk status.
Have a plan of action if an attack occurs. If your offering is dependent on a certain outsourced service or supplier, ensure that you have a backup in case it is somehow compromised. Even for services that may not be critical, make sure that your organisation is structured in such a way that a hack into one team’s third party can be managed to protect the rest of your organisation.
Hacks will happen – we can’t predict every potential cyberattack. But how your organisation responds to a hack can and will set it apart, heightening cyber, business and operational resilience.